
NIST CSF provides guidelines for risk-based cybersecurity

Organizations benefit from identifying their unique risks when developing cybersecurity processes. Here's how the NIST Cybersecurity Framework can help guide risk-based IT protection.

In 2014, the National Institute of Standards and Technology published version 1.0 of its "Framework for Improving Critical Infrastructure Cybersecurity." Commonly known as the NIST Cybersecurity Framework, its development was in response to Presidential Executive Order 13636 in February 2013: Improving Critical Infrastructure Cybersecurity. Subsequent versions of the NIST CSF appeared in 2017 and 2018, with the most recent version published in April 2018.

The NIST CSF provides guidance that helps organizations better manage their cybersecurity risk. This guidance is built on existing standards and practices, and it gives organizations a way to improve cybersecurity and business efficiency that is easier to understand and easier to use than earlier regulatory cybersecurity publications such as NIST SP 800-53.

NIST CSF: A guide to risk-based cybersecurity

It is important to emphasize that the NIST CSF is a risk-based framework and approach to cybersecurity management. In a risk-based approach to cybersecurity management, an organization first develops a clear picture of what it needs to protect: critical assets, vital business processes and the people, process, technology, information and facilities that must be secured in order to successfully operate the business. An organization should also consider its mission, vision, values and critical success factors as part of this process.

Second, the organization develops an understanding of its risk environment, including how it will be impacted if a threat becomes active and the risk is realized.

Lastly, in a risk-based cybersecurity approach, the organization prioritizes the identified risks and develops protection processes, mitigation strategies and controls to counter these specific risks.

Another common cybersecurity approach is to use a control-based framework or standard. In this approach, a list of cybersecurity controls is implemented in a checklist manner simply because the control is included on the list. A checklist approach does not factor in what is important to the continuity of a specific business or the specific elements of a given organization's risk environment.


Such an approach may lead to organizations implementing controls that are not needed, while taking resources away from more relevant and important controls. Implementing cybersecurity controls can be expensive, disruptive to the organization and time-consuming. Therefore, it makes sense to implement those controls that will have the greatest benefit to the organization and will block the most damaging cybersecurity risk scenarios.

NIST CSF benefits

The NIST CSF is intended to help organizations identify, implement and improve cybersecurity practices and creates a common risk-based language for communication of cybersecurity issues. This risk-based common language is vital to integrate with enterprise risk management, as well as communicate cybersecurity concerns throughout the organization.

The NIST CSF uses business drivers to guide cybersecurity activities. At a high level, the NIST CSF describes five core cybersecurity functions. Those functions are:

  1. Identify critical assets and business functions;
  2. Protect assets and functions by developing safeguards for service delivery;
  3. Detect cybersecurity events and incidents;
  4. Respond to detected events and incidents; and
  5. Recover and then restore services and capabilities that were affected by a cybersecurity event or incident.

These functions are intended to align with the cybersecurity incident management functions that have long been in use, and they help identify where cybersecurity resources have been effectively deployed. Each of the five functions is broken down in considerable detail, but even at the top level the NIST CSF provides an assessment instrument that helps determine the current threat state, set goals for cybersecurity and develop a plan of action for a cybersecurity risk management program.

At least two cybersecurity "profiles" must be developed. One organizational profile is the current state profile, which documents the starting point for cybersecurity risk management. The other organizational profile is the target profile, which describes the desired end state for cybersecurity risk. The use of these organizational profiles will help an organization "align and prioritize its cybersecurity activities with its business/mission requirements, risk tolerances and resources," according to the framework. A NIST CSF profile is a flexible, highly specific description of an organization's current cybersecurity state and its desired end state. Profile templates are also available for many types of critical infrastructure security.

Using the NIST CSF as a risk-based cybersecurity approach is a way to effectively and proactively protect against threats. This approach gives organizations a way to develop cybersecurity risk profiles that represent where they are and then create a map forward to the desired end state for their cybersecurity programs. It's also important to remember that using a language familiar to the enterprise risk community, as well as incident responders, removes additional barriers to widespread adoption.

This was last published in December 2019


What are the benefits of risk-based cybersecurity vs. control-based cybersecurity?

You wrote that the Recover Function is to restore services and capabilities that were affected by a cybersecurity event or incident. May I add that this function provides support for recovery to normal services and capabilities by reducing the impact of a cybersecurity event or incident? I am the one who wrote the Ask The Expert articles and tips on the use of some NIST publications for two or three years for SearchSecurity. I am CRISC (Certification in Risks and Information Systems Control).


Glad to meet you, Peter Sullivan. May I introduce myself: I was appointed as the ADP Security Officer (equivalent to Information System Security Officer). I was in charge of managing risk assessments of about 1000 information systems throughout a naval facility. I had about 100 people from different departments and divisions working for me in preparing risk assessments of one or more systems for which they were responsible. The benefits of the risks are that we determined the quantitative ratings for a risk level, from low to high. Controls were part of the risk assessment. If the controls changed due to regulations, standards and organizational policies, we determined if they resulted in a change of risk ratings. Have a great day!